[Snort-users] afpacket DAQ - large "Outstanding" number/percent

Jason Wallace jason.r.wallace at ...11827...
Tue Nov 2 10:16:27 EDT 2010


FYI...

Snort-2.9.0.1 with Daq-0.3 appears to fix this weird issue with the
outstanding packet count.



On Tue, Oct 19, 2010 at 9:11 AM, Jason Wallace
<jason.r.wallace at ...11827...> wrote:
> I'll test the patch, but I might not get to it today.
>
> Reproducible: Always
> Traffic Rate: 5-8Mb/s (if that)
> BPF: None
>
> snort.conf contains:
> config daq: afpacket
> config daq_mode: passive
> config daq_dir: /usr/lib64/daq/
>
> Command Line: Using "snort -c ./snort.conf -dev" works fine
> ===============================================================================
> Run time for packet processing was 40.730405 seconds
> Snort processed 45786 packets.
> Snort ran for 0 days 0 hours 0 minutes 40 seconds
>   Pkts/sec:         1144
> ===============================================================================
> Packet I/O Totals:
>   Received:        55240
>   Analyzed:        45786 ( 82.886%)
>    Dropped:            0 (  0.000%)
>   Filtered:            0 (  0.000%)
> Outstanding:         9454 ( 17.114%)
>   Injected:            0
> ===============================================================================
>
> Command Line: Using "snort -c ./snort.conf" does NOT seem to work
>
> Also, the "Received" number seems too high for the amount of time I ran snort.
>
> ^CCan't acquire (-1) - afpacket_daq_acquire: Poll failed: Interrupted
> system call!
> ===============================================================================
> Packet I/O Totals:
>   Received:       139172
>   Analyzed:       139204 (100.023%)
>    Dropped:            0 (  0.000%)
>   Filtered:            0 (  0.000%)
> Outstanding: 18446744073709551584 (13254637480031582.000%)
>   Injected:            0
> ===============================================================================
>
> I have attached my snort.conf also. It is stripped down because this
> sensor is currently being used for testing. Only running 5 custom
> rules.
>
> Snort Build time options:
> --enable-shared --disable-static --enable-dynamicplugin --disable-ipv6
> --enable-zlib --disable-gre --disable-mpls --disable-targetbased
> --enable-decoder-preprocessor-rules --enable-ppm
> --enable-perfprofiling --enable-linux-smp-stats
> --disable-inline-init-failopen --disable-prelude --enable-pthread
> --disable-debug --disable-debug-msgs --disable-corefiles
> --disable-active-response --disable-normalizer --enable-reload
> --enable-reload-error-restart --disable-react --disable-flexresp3
> --disable-aruba --without-mysql --without-odbc --without-postgresql
> --disable-build-dynamic-examples --disable-profile --disable-ppm-test
> --disable-dlclose --disable-intel-soft-cpm --disable-static-daq
> --without-oracle
>
> DAQ build time options:
> --disable-ipv6 --enable-pcap-module --enable-afpacket-module
> --enable-dump-module --disable-ipfw-module --disable-bundled-modules
>
> System Info:
> - Strictly a 64 bit system. No 32 bit binaries/libs at all.
> - Gentoo Linux
> - Linux XXXXXX 2.6.32-hardened-r9 #1 SMP Thu Jul 8 16:28:11 EDT 2010
> x86_64 Intel(R) Xeon(TM) CPU 3.00GHz GenuineIntel GNU/Linux
> - gcc version 4.4.4
>
> Let me know if there is any other info you need.
>
> thx,
> Wally
>
> On Tue, Oct 19, 2010 at 1:06 AM, Michael Altizer <xiche at ...3147...> wrote:
>>  Could you please try applying the attached patch[1] and confirming that the
>> issue still exists?  (This brings it up to the current status of the next
>> release and fixes some rather significant issues, but does nothing to
>> directly address the issue that you are seeing.)  Also, how reproducible is
>> the issue?  What's the approximate traffic rate when this occurs?  What does
>> your BPF look like?  What does your command line look like (inline mode,
>> etc)?
>>
>> In case you're wondering how the math works out, it's something like this:
>> 1. Kernel reports 650083 packets received on the AFPacket buffer rings when
>> queried.
>> 2. DAQ module reports 24754 packets received in its acquire loop and passed
>> to Snort.
>> 3. DAQ module reports 625332 packets received in its acquire loop and
>> fastpathed by the BPF.
>> 4. Outstanding packets is (uint64_t) (650083 - 24754 - 625332) which is
>> (uint64_t) (-3) which is 18446744073709551613.
>>
>> So the kernel is reporting it has received three fewer packets than the DAQ
>> has seen, which is a tad disconcerting.
>>
>> -Michael
>>
>> [1] patch daq-0.2/os-daq/modules/daq_afpacket.c afpacket-v3.diff
>>
>> On 10/15/2010 10:49 PM, Jason Wallace wrote:
>>>
>>> ~ # snort --daq-dir /usr/lib64/daq/ --daq-list
>>> Available DAQ modules:
>>> pcap(v3): readback live multi unpriv
>>> dump(v1): readback live inline multi unpriv
>>> afpacket(v2): live inline multi unpriv
>>>
>>>
>>> On Fri, Oct 15, 2010 at 2:07 AM, Michael Altizer <xiche at ...3147...> wrote:
>>>>
>>>>  On 10/13/2010 03:11 PM, Jason Wallace wrote:
>>>>>
>>>>> Is anyone else seeing a strange "Outstanding" number/percent after
>>>>> exiting when using afpacket in passive mode? It only seems to occur in
>>>>> daemon mode (-D).
>>>>>
>>>>>
>>>>> Oct 13 15:05:46  snort[1331]: Can't acquire (-1) -
>>>>> afpacket_daq_acquire: Poll failed: Interrupted system call!
>>>>> Oct 13 15:05:47 snort[1331]:
>>>>>
>>>>> ===============================================================================
>>>>> Oct 13 15:05:47 snort[1331]: Packet I/O Totals:
>>>>> Oct 13 15:05:47 snort[1331]:    Received:       650083
>>>>> Oct 13 15:05:47 snort[1331]:    Analyzed:        24754 (  3.808%)
>>>>> Oct 13 15:05:47 snort[1331]:     Dropped:            0 (  0.000%)
>>>>> Oct 13 15:05:47 snort[1331]:    Filtered:       625332 ( 96.193%)
>>>>> Oct 13 15:05:47 snort[1331]: Outstanding: 18446744073709551613
>>>>> (2837598287250944.000%)
>>>>> Oct 13 15:05:47 snort[1331]:    Injected:            0
>>>>> Oct 13 15:05:47 snort[1331]:
>>>>>
>>>>> ===============================================================================
>>>>>
>>>>>
>>>>> snort # snort -V
>>>>>
>>>>>     ,,_     -*>    Snort!<*-
>>>>>    o"  )~   Version 2.9.0 (Build 68)
>>>>>     ''''    By Martin Roesch & The Snort Team:
>>>>> http://www.snort.org/snort/snort-team
>>>>>             Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>>>>>             Using libpcap version 1.0.0
>>>>>             Using PCRE version: 7.9 2009-04-11
>>>>>             Using ZLIB version: 1.2.3
>>>>>
>>>>>
>>>>> thx,
>>>>> Wally
>>>>
>>>> Hi,
>>>>
>>>> Please confirm that you are using the 0.2 release of LibDAQ.  There were
>>>> changes to the AFPacket code between 0.1 and 0.2 that fixed an issue
>>>> with this symptom.  You can check the version of the AFPacket DAQ module
>>>> by passing the --daq-list switch to Snort; it should be v2 if it is from
>>>> the 0.2 release.
>>>>
>>>> -Michael
>>>>
>>>>
>>>>
>>
>>
>
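Michael's step 4 above (Outstanding = (uint64_t)(received - analyzed - filtered), which wraps to 18446744073709551613 when the kernel reports three fewer packets than the DAQ accounted for) is easy to reproduce and easy to guard against. The C below is an added example, not code from the DAQ or Snort sources: `outstanding_naive` reproduces the unsigned wraparound on the three sets of figures quoted in this thread, and `outstanding_checked` (a hypothetical hardening, with its `struct outstanding_result` type also assumed) compares before subtracting so a counter inconsistency is reported as a flag rather than as a 2^64-sized count and an absurd percentage.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Result of the guarded computation: the count plus a flag that tells the
 * caller the kernel and DAQ counters disagree (hypothetical type, not DAQ's). */
struct outstanding_result {
    uint64_t count;
    int underflow;
};

/* Mirrors the arithmetic described in the thread: all three counters are
 * uint64_t, so when analyzed + filtered exceeds received the subtraction
 * wraps modulo 2^64 instead of going negative. */
uint64_t outstanding_naive(uint64_t received, uint64_t analyzed, uint64_t filtered)
{
    return received - analyzed - filtered;
}

/* Guarded version (assumption: one way to harden it, not the DAQ's own fix):
 * compare before subtracting and report the inconsistency explicitly. */
struct outstanding_result outstanding_checked(uint64_t received, uint64_t analyzed, uint64_t filtered)
{
    struct outstanding_result r = { 0, 0 };
    uint64_t accounted;

    /* analyzed + filtered can itself overflow on absurd inputs; guard that too */
    if (filtered > UINT64_MAX - analyzed) {
        r.underflow = 1;
        return r;
    }
    accounted = analyzed + filtered;
    if (accounted > received) {
        r.underflow = 1;      /* DAQ saw more packets than the kernel reports */
        return r;
    }
    r.count = received - accounted;
    return r;
}

/* Percentage of received packets, with the division-by-zero case handled. */
double outstanding_pct(uint64_t outstanding, uint64_t received)
{
    if (received == 0)
        return 0.0;
    return 100.0 * (double)outstanding / (double)received;
}

int main(void)
{
    /* Figures are constructed from the three runs quoted in this thread. */
    struct {
        const char *label;
        uint64_t received, analyzed, filtered;
    } runs[] = {
        { "daemon, first report", 650083,  24754, 625332 },
        { "foreground -dev",       55240,  45786,      0 },
        { "foreground, no -dev",  139172, 139204,      0 },
    };
    size_t i;

    for (i = 0; i < sizeof runs / sizeof runs[0]; i++) {
        uint64_t naive = outstanding_naive(runs[i].received, runs[i].analyzed, runs[i].filtered);
        struct outstanding_result chk =
            outstanding_checked(runs[i].received, runs[i].analyzed, runs[i].filtered);
        printf("%-22s naive=%" PRIu64 " (%.3f%%)  checked=%" PRIu64 " inconsistent=%d\n",
               runs[i].label, naive, outstanding_pct(naive, runs[i].received),
               chk.count, chk.underflow);
    }
    return 0;
}
```

The third run is the one Jason reported where "Analyzed" exceeds "Received" (139204 vs 139172): the naive form prints 18446744073709551584, the guarded form prints a count of 0 with the inconsistency flag set, which is the signal an operator actually wants from the exit statistics.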